Microsoft continues to work on a fix for a vulnerability in its Internet Explorer browser that cyber-attackers are already exploiting. In the meantime, the federal government recommended that people use browsers other than IE or put recommended workarounds into place.
The U.S. Computer Emergency Readiness Team (CERT), part of the Department of Homeland Security, on Monday said the vulnerability affects IE versions 6 through 11 and “could lead to the complete compromise of an affected system.”
“By convincing a user to view a specially crafted HTML document (e.g., a Web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code,” CERT said.
This form of attack, known as “remote code execution,” allows attackers to execute code on a machine without the victim knowing about it.
- Mariners fire general manager Jack Zduriencik
- Mariners demote struggling catcher Mike Zunino
- Now comes the hard part for the Mariners: Hiring Jack Zduriencik’s replacement
- Why Russell Wilson needs to water down his Recovery claims
- Animated map: How the wildfires in North Central Washington have grown over time
Most Read Stories
Those who can’t implement the measures should consider using alternate browsers, CERT said.
The U.K. government issued a similar advisory Monday.
Microsoft did not give an estimate for when a fix would be available, but did say it was investigating and that the attacks are limited and targeted.
“On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security-update release process, or an out-of-cycle security update, depending on customer needs,” the company said in its security advisory.
Any fix Microsoft issues will not cover Windows XP, since Microsoft ended support April 8 for the nearly 13-year-old operating system and is no longer issuing security updates for it.
The IE vulnerability — and the fact that cyber-attackers are already exploiting it — was discovered Friday night by cybersecurity firm FireEye, which notified Microsoft on Saturday, said Kyrksen Storer, a FireEye spokesman.
FireEye had discovered attacks on IE 9 to 11, while Microsoft subsequently found the vulnerability involves all versions of IE from 6 to 11.
Though statistics on browser usage can vary from company to company, one of them — NetMarketShare — says IE 6 to 11 represents about 56 percent of the desktop browser market share.
Since the investigation is ongoing, FireEye declined to say much about who the attackers are and who they’re targeting, other than to say they appear to have aimed their efforts at a limited set of people for a specific purpose.
FireEye added that the group responsible “has been the first group to have access to a select number of browser-based zero-day exploits (e.g. IE, Firefox, and Flash) in the past. They are extremely proficient at lateral movement and are difficult to track, as they typically do not reuse command and control infrastructure.”
“Zero-day exploits” are when cybercriminals exploit previously unknown vulnerabilities in software before the weaknesses can be patched.
Earlier, FireEye had said the targeted attacks seemed to be aimed at U.S.-based firms tied to defense and financial sectors, according to a Reuters report.
Nonetheless, cybersecurity experts are warning consumers, as well as businesses, to take cautionary measures.
“Because of how widespread the vulnerability is, … consumers should be mindful of their browser settings if they use Internet Explorer and follow Microsoft’s guidance for mitigating the issue as they wait for a patch,” said FireEye’s Storer.
Now that the vulnerability is known, “there are cyber-attackers — criminals — in a race to write their own attack tools and attack even the average consumer,” said Aviv Raff, chief technology officer of cybersecurity firm Seculert.
Microsoft, in a blog post, said its Enhanced Protection Mode, which is on by default in IE 10 and 11, and its Enhanced Mitigation Experience Toolkit (EMET) 4.1 and EMET 5.0 Technical Preview, should provide protection.
“We also encourage you to follow the ‘Protect Your Computer’ guidance of enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software,” the blog post says.
“Additionally, we encourage everyone to exercise caution when visiting websites and avoid clicking suspicious links, or opening email messages from unfamiliar senders.”
Janet I. Tu: 206-464-2272 or email@example.com. On Twitter @janettu.